5 Minutes with Saad Gul on LifeSpan's data breach

5 Minutes With
August 21, 2020

Recently, the U.S. Department of Health and Human Services (HHS) concluded its investigation on the Lifespan Health System data breach, which took place in 2017. As a result, the non-profit health system based in Rhode Island has agreed to pay $1,040,000 to the Office for Civil Rights (OCR) at the HHS and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptop.  

The breach affected 20,431 individuals. In addition to the monetary settlement, Lifespan has agreed to a corrective action plan that includes two years of monitoring. 

Here, we speak to Saad Gul, Co-Chair of the Poyner Spruill, LLP, privacy and cybersecurity team, and learn about the case, what it means for data security professionals, why this case emphasizes the importance of encrypting all mobile data devices, and why the HHS ruling should be a warning to all companies holding HIPAA-protected information.


Security magazine: What is your title and background?

Saad Gul: I’m a partner with Poyner Spruill LLP in Raleigh, N.C. I’ve been a computer geek going back to my Commodore 64 in 1986. I worked at the Computer Center while attending Davidson College. After graduation, I went to work for Cambridge Technology Partners out of Cambridge, Massachusetts.

It sounds like the 1950s now, but the late 1990s was a very exciting time. A lot of what we see now (electronic reservations, payments through phones, Uber, Amazon, RFID) was just getting started, or was on the drawing board.

Then when I had enough of consulting, I went to law school. I clerked for the Chief Judge of the North Carolina Court of Appeals, and a Justice of the North Carolina Supreme Court. Then, I joined Steptoe & Johnson LLP in Washington, D.C.

Computer issues began showing up in our matters. First on the periphery, and then at the heart of the matter. Insurance was a big one. Contracts was another. In many ways, Steptoe was the heart of cybersecurity law because of Stewart Baker. Stewart had been General Counsel of the US National Security Agency (NSA). He’s probably the expert in this area.

So it drew my interest. A couple of moves later, a slot at Poyner opened up. I recalled Poyner as a highly respected firm from my clerking days. And I had friends there, so it seemed the natural transition. I am still here four and half years later.


Security magazine: As a result of the investigation, what will Lifespan Health System Affiliated Covered Entity have to implement?

Saad Gul: Well, there is the fine of a million dollars obviously. And then there is the two-year Corrective Action Plan.

For readers who are interested in the full nuts and bolts of the plan, it is available on the HHS OCR website. But I read it to require five major steps:

  • First, Lifespan must disclose details about its affiliated covered entities to HHS.
  • Second, it has to revise its Business Associate Agreement (BAA) policies. HHS must review and approve the policies. Lifespan must designate an officer with the responsibility for overseeing BAAs. The officer also evaluates Lifespan’s relationships to assess the need for a BAA.
  • Third, it must develop device control procedures. Again, HHS will vet and approve these procedures.
  • Fourth, Lifespan must train employees and contractors on these device control procedures. It must investigate any potential violation of the procedures. Violations must be reported promptly to HHS.
  • Finally, Lifespan must submit a compliance report to HHS. This verifies that the new policies and procedures are in place. And Lifespan must confirm that personnel have been trained on the new policies and procedures.


Security magazine: What does this mean for Lifespan and other health systems, especially those who suffer data breaches?

Saad Gul: It means that an ounce of prevention is worth a pound of cure. Look, with COVID-19, folks are appreciating the value of their health information.

Many of the steps required by the Corrective Action Plan are good cyber-hygiene practices anyway. Health systems should be looking at their BAAs. They should be assessing if BAAs cover all the business relationships they should. They need policies concerning every device that has health data. And personnel should be trained.

The message is “you need to be doing this.” HIPAA requires it. The Security Rule requires it. The Privacy Rule requires it. And if you are not going to do it – not out of malice, but because it’s not a priority – then HHS will come make you do it.

So if you have HIPAA protected information, be ahead of the curve. Do what you should be doing. Do it before a mishap. Because the cleanup is going to be messy. It is going to be expensive. And you’re going to need a lot of approvals. And get a lot of permissions. For a long time.

Do yourself a favor. Protect your data proactively. Save the heartburn.


Security magazine: What does this mean for all data security professionals?

Saad Gul: Look, it’s the fundamentals. It is always the fundamentals. HIPAA is 24 years old. The details have evolved. But the basics have not.

It’s like diet and exercise. Everyone knows they should. Everyone would like to. But they often don’t. Well, everyone knows they have to protect data. Everyone knows that if you are going to transfer data, you need a BAA. You need a risk assessment. You need to monitor threats. You need backups for ransomware. You need encryption. And there’s probably a dozen or so fundamentals that everyone in the industry knows.

So for security leaders, the bottom line is simple, if brutal. The technology may be complex. But the compliance is not. Go ahead and do it. Compliance, security, they tend to be high importance, but low priority. It is always the item that can be deferred to the next quarter. Something that can be cut – temporarily of course – from the budget.

What HHS is saying is, be careful with that. You’re not taking a calculated risk. You’re gambling with the security of patients’ data. And if you lose that bet, whether through an incident, or something else bringing you onto HHS’s radar, that is going to cost you heavily. Not just in dollars. Not just in remediation. But in terms of autonomy. In terms of having to get your compliance papers approved. In terms of having HHS watch you for years.

So do yourself a favor. Take those steps now. On your own terms. Before HHS makes you do it on theirs.


Security magazine: What is the importance of encrypting all devices which may generate data?

Saad Gul: Think of encryption like a parachute. Or like money in the bank. Hopefully you have a good system in place. Everything works like it should. You don’t need the parachute. And you don’t need to draw on the money in the bank. No harm done. It's there.

But real life, as we’re all too aware now, is messy. It does not work that neatly. There are unanticipated events. The best laid plans go awry. It’s Murphy’s law of combat - you plan for the enemy to attack from all four directions. The enemy will always opt for the fifth one.

So if you have an issue that you did not anticipate, encryption is your insurance. Maybe someone accessed your data in some unanticipated way. Remember, even the NSA left key tools on an unsecured server accidentally.

Well, if your data is compromised and it is encrypted, you have a parachute. The exfiltrator does not actually have access to the data itself. In most cases, it's not a breach. Which means you’re spared all the headaches that go with a breach: regulators, mandatory reporting, required notices, loss of goodwill, the embarrassment.
